Windows security Token Bloat

… the problem could be minor or relatively major. You may get weird access denied messages, applications crashing, or strange entries in your event logs. Or, worse yet, a SID for a group that has a ‘deny permission’ on an object could be dropped into the virtual bit bucket, allowing a user to access a resource they are not supposed to access.

…

Summary of fixes for token bloat:

Use global or universal groups instead of domain local.

Increase the MaxTokenSize on all computers.

Convert security groups to distribution groups if they are only used for email lists.

…

There is a hard-coded limit of 1,024 SIDs for the Kerberos PAC (Privilege Attribute Certificate).
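
Why the group-scope and distribution-group fixes shrink the token, as an added example that is not from the original page: it applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s, to constructed group data and checks the result against MaxTokenSize and the SID limit stated above. The `Domain` property, the `corp.example` name, both function names and the 12000-byte limit passed in are assumptions for illustration.

```powershell
# Added example: estimate token size from group membership.
# Microsoft's published estimate: TokenSize = 1200 + 40d + 8s, where
#   d = domain local groups + universal groups outside the account domain + SID history entries
#   s = global groups + universal groups inside the account domain
function Get-TokenSizeEstimate {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,      # needs GroupScope, GroupCategory, Domain
        [Parameter(Mandatory)] [string]   $UserDomain,
        [int] $SidHistoryCount = 0,
        [int] $MaxTokenSize    = 48000,  # assumption: pass the value configured on your machines
        [int] $MaxSids         = 1024    # SID limit as stated on this page
    )
    # Distribution groups are not placed in the token, so only security groups count.
    $security = @($Groups | Where-Object { $_.GroupCategory -eq 'Security' })
    $d = $SidHistoryCount
    $s = 0
    foreach ($g in $security) {
        $sameDomain = $g.Domain -eq $UserDomain
        if ($g.GroupScope -eq 'Global' -or ($g.GroupScope -eq 'Universal' -and $sameDomain)) {
            $s++    # 8 bytes each
        } else {
            $d++    # 40 bytes each
        }
    }
    $bytes = 1200 + (40 * $d) + (8 * $s)
    [pscustomobject]@{
        SecurityGroups = $security.Count
        Sids40Byte     = $d
        Sids8Byte      = $s
        EstimatedBytes = $bytes
        OverMaxToken   = $bytes -gt $MaxTokenSize
        # Simplification: ignores the user's own SID and well-known SIDs.
        OverSidLimit   = ($d + $s) -gt $MaxSids
    }
}

# Constructed sample data (hypothetical helper; the Domain property is an assumption).
function New-SampleGroup($Scope, $Category, $Domain, $Count) {
    1..$Count | ForEach-Object {
        [pscustomobject]@{ GroupScope = $Scope; GroupCategory = $Category; Domain = $Domain }
    }
}
$mail   = @(New-SampleGroup 'Global' 'Distribution' 'corp.example' 50)
$before = @(New-SampleGroup 'DomainLocal' 'Security' 'corp.example' 300) +
          @(New-SampleGroup 'Global' 'Security' 'corp.example' 100) + $mail
$after  = @(New-SampleGroup 'Global' 'Security' 'corp.example' 400) + $mail

# Same 400 security groups; only the scope of 300 of them differs.
Get-TokenSizeEstimate -Groups $before -UserDomain 'corp.example' -MaxTokenSize 12000
Get-TokenSizeEstimate -Groups $after  -UserDomain 'corp.example' -MaxTokenSize 12000
```

The 50 mail-only groups add nothing to either estimate because they are distribution groups, which is the effect the third fix relies on.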